CLAIM AMENDMENTS

1. (Currently Amended) A method of operating a secure network having a plurality of
network nodes, each node comprising one or more ports, the method comprising the
steps of:

locating one or more nodes in a secure location;

[[Locating]] locating one or more nodes in a less secure location;

communicating selected management information from a primary configuration
node to all other nodes in the secure network, said communicating having
the sub-steps of,

a first port on a first node sending said management information to a
second port on a second node via [[an]] a communication media
exclusively shared by said first port and said second port;

allowing no management access to said secure network from nodes
located in said less secure locations;

determining a first list of nodes that may send or receive substantive
communication in the secure network; and

prior to substantive communication between any two directly-connected
ports, authenticating a link between said directly connected ports.

2. (Original) The invention of claim 1 wherein said primary configuration node is 
configured or adapted to exclusively control a defined set of management functions 
throughout said secure network, said set of management functions comprising the 
recognition, operation and succession of primary configuration node. 
3. (Original) The invention of claim 1 wherein said primary configuration node is
configured or adapted to exclusively control a defined set of management functions 
throughout said secure network, said set of management functions comprising (i) the 
recognition, operation and succession of said primary configuration node, (ii) node 
connection controls for designating nodes to participate in the secure network, (iii) 
device connection controls that indicate port relationships in said secure network, 
and (iv) management access controls that restrict management services to a defined 
set of endpoints. 

4. (Original) The invention of claim 1 wherein said primary configuration node is 
configured or adapted to exclusively control a defined set of management functions 
throughout said secure network, said set of management functions comprising (i) the 
recognition, operation and succession of the primary configuration node, and (ii) 
node connection controls for designating nodes to participate in the secure network.

5. (Original) The invention of claim 1 wherein said primary configuration node is 
configured or adapted to exclusively control a defined set of management functions 
throughout said secure network, said set of management functions comprising (i) the 
recognition, operation and succession of said primary configuration node, and (ii) 
device connection controls that indicate port relationships in said secure network. 

6. (Original) The invention of claim 1 wherein said primary configuration node is 
configured or adapted to exclusively control a defined set of management functions 
throughout said secure network, said set of management functions comprising (i) the 
recognition, operation and succession of said primary configuration node, and (ii) 
management access controls that restrict management services to a defined set of 
endpoints. 
7. (Original) The invention of claim 1 wherein said primary configuration node is
configured or adapted to exclusively control a defined set of management functions 
throughout said secure network, said set of management functions comprising (i) 
node connection controls for designating nodes to participate in the secure network, 
and (ii) device connection controls that indicate port relationships in said secure 
network. 

8. (Original) The invention of claim 1 wherein said primary configuration node is 
configured or adapted to exclusively control a defined set of management functions 
throughout said secure network, said set of management functions comprising, (i) 
node connection controls for designating nodes to participate in the secure network 
and (ii) management access controls that restrict management services to a defined 
set of endpoints. 

9. (Original) The invention of claim 1 wherein said primary configuration node is 
configured or adapted to exclusively control a defined set of management functions 
throughout said secure network, said set of management functions comprising (i) 
device connection controls that indicate port relationships in said secure network, 
and (ii) management access controls that restrict management services to a defined 
set of endpoints. 

10. (Original) The invention of claim 1 wherein said primary configuration node is 
configured or adapted to exclusively control a defined set of management functions 
throughout said secure network, said set of management functions comprising (i) the 
recognition, operation and succession of said primary configuration node, (ii) node 
connection controls for designating nodes to participate in the secure network, and 
(iii) device connection controls that indicate port relationships in said secure 
network. 
11. (Original) The invention of claim 1 wherein said primary configuration node is
configured or adapted to exclusively control a defined set of management functions 
throughout said secure network, said set of management functions comprising (i) the 
recognition, operation and succession of said primary configuration node, (ii) node 
connection controls for designating nodes to participate in the secure network, and 
(iii) management access controls that restrict management services to a defined set 
of endpoints. 

12. (Original) The invention of claim 1 wherein said primary configuration node is 
configured or adapted to exclusively control a defined set of management functions 
throughout said secure network, said set of management functions comprising (i) the 
recognition, operation and succession of said primary configuration node, (ii) device
connection controls that indicate port relationships in said secure network, and (iii) 
management access controls that restrict management services to a defined set of 
endpoints. 

13. (Original) The invention of claim 1 wherein the step of allowing no management 
access to said secure network from nodes located in said less secure locations 
comprises the sub-step of distributing a MAC list to every node in said secure 
network, said MAC list comprising an indication of network endpoints from which 
management access is acceptable. 

14. (Original) The invention of claim 13 wherein said network endpoints comprise IP 
addresses. 

15. (Original) The invention of claim 14 wherein said IP addresses are associated with 
access from SNMP or Telnet or HTTP or API. 

16. (Original) The invention of claim 13 wherein said network endpoints comprise 
uniquely identified ports. 

17. (Original) The invention of claim 13 wherein said network endpoints comprise 
uniquely identified nodes resident in said secure network. 
18. (Original) The invention of claim 1 wherein the step of determining a first list of
nodes that may send or receive substantive communication in the secure network 
comprises the sub-step of distributing a DCC list to every node in said secure 
network, said DCC list comprising definitions that logically bind a port on said 
primary configuration node to one or more other ports resident in the secure 
network. 

19. (Original) The invention of claim 1 wherein the step of determining a first list of 
nodes that may send or receive substantive communication in the secure network 
comprises the sub-step of distributing a DCC list to every node in said secure 
network, said DCC list comprising definitions that logically bind each port in said 
secure network to one or more other ports resident in said network. 

20. (Original) The invention of claim 19 wherein said ports are identified by a unique 
number. 

21. (Original) The invention of claim 20 wherein said unique number is a world-wide- 
name. 

22. (Original) The invention of claim 1 wherein said directly connected ports are said 
first port and said second port and wherein the step of authenticating a link between 
said directly connected ports comprises the sub-steps of: 

sending a first fact from said first port to said second port;
at said second node, creating a second-type derivative of said first fact;
sending said second-type derivative of said first fact from said second port to
said first port;

at said first node, storing said second-type derivative of said first fact in a first
memory;

sending a second fact from said second port to said first port;
at said first node, creating a first-type derivative of said second fact;
sending said first-type derivative of said second fact from said first port to said
second port;

at said second node, storing said first-type derivative of said second fact in a
second memory;

sending defined information concerning said first node from said first port to
said second port;
sending a third-type derivative of said defined information concerning said first
node from said first port to said second port;
at said second node, comparing said defined information concerning said first
node with said third-type derivative of said defined information concerning
said first node;
at said second node, comparing said first-type derivative of said second fact
with said second fact;

sending defined information concerning said second node from said second port
to said first port;
sending a third-type derivative of said defined information concerning said
second node from said second port to said first port;
at said first node, comparing said defined information concerning said second
node with said third-type derivative of said defined information concerning
said second node; and
at said first node, comparing said second-type derivative of said first fact with
said first fact.

23. (Original) The method of claim 22 wherein the step of comparing said defined 
information concerning said second node with said third-type derivative of said 
defined information concerning said second node, comprises the sub-steps of: 

reversing the derivation of the third-type derivative of said defined information
concerning said second node; and
comparing the result of said reversal with said defined information concerning
said second node.
24. (Original) The method of claim 22 wherein the step of comparing said defined
information concerning said second node with said third-type derivative of said 
defined information concerning said second node, comprises the sub-steps of: 

making a third-type derivative of said defined information concerning said 
second node; and 

comparing the made third-type derivative with the received third-type 
derivative. 

25. (Original) The method of claim 22 wherein the step, at said second node, of 
creating a second-type derivative of said first fact comprises the sub-steps of: 

encoding said first fact to yield an encoded first fact; and 
encrypting said encoded first fact. 

26. (Original) The method of claim 25 wherein said encoding is performed by applying 
a hash function. 

27. (Original) The method of claim 25 wherein said encrypting is performed using a 
private key unique to said second node. 

28. (Original) The method of claim 22 wherein said defined information concerning 
said first node comprises encryption key information. 

29. (Original) The method of claim 28 wherein said encryption key information 
comprises a public key uniquely associated with said first node. 

30. (Original) The method of claim 22 wherein said third-type derivative is associated 
with both said second node and said first node. 

31. (Original) The method of claim 30 wherein said third-type derivative is created 
using a private key uniquely associated with an encryption key authority, said 
encryption key authority associated with said first node and said second node. 
32. (Original) The method of claim 30 wherein said third-type derivative is created
using a private key uniquely associated with an encryption key authority, said 
encryption key authority being the manufacturer of either said first node or said 
second node. 

33. (Original) The method of claim 22 wherein the step, at said second node, of 
comparing said defined information concerning said first node with said third-type 
derivative of said defined information concerning said first node, comprises the sub- 
steps of: 

reversing said third-type derivative of said defined information concerning said 
first node yielding a reversed third-type derivative; and 

comparing said reversed third-type derivative with said defined information 
concerning said first node. 

34. (Original) The method of claim 33 wherein said step of reversing said third-type 
derivative is performed using a public key uniquely associated with an encryption 
key authority, said encryption key authority associated with said first node and said 
second node. 
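The link authentication of claims 22 through 34 is a mutual challenge-response in which each port's signed nonce can only be checked after the peer's public key (claims 28 and 29) has itself been checked against the authority's signature over it (claims 30 through 34). The Go program below is an added worked example of that exchange; it is not part of the claims or of the applicant's implementation. It fixes choices the claims leave open: the "derivative" of claims 25 through 27 is an RSA PKCS#1 v1.5 signature over a SHA-256 digest; the comparisons of claims 23, 33 and 34 are signature verification (the reversal path, not the recomputation of claim 24); the "defined information" is the PKCS#1 DER encoding of the node's RSA public key; and the key authority (the manufacturer of claims 31 and 32) is modelled as a bare RSA key whose signature over that encoding stands in for a certificate. The names Node, derive, check, AuthenticateLink and Scenario and the 32-byte nonce are assumptions made here, not taken from the claims.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// must aborts this demo on errors that cannot occur with well-formed keys.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) }

// derive is the derivative of claims 25-27: hash the input (encode), then
// "encrypt" the digest with a private key, i.e. an RSA PKCS#1 v1.5 signature.
func derive(key *rsa.PrivateKey, data []byte) []byte {
	h := sha256.Sum256(data)
	return must(rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:]))
}

// check is the reversal-and-compare of claims 23, 33 and 34: undo the
// derivative with the matching public key and compare with the original.
func check(pub *rsa.PublicKey, data, deriv []byte) error {
	h := sha256.Sum256(data)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], deriv)
}

// Node is one link end: a key pair, its encoded public key ("defined information",
// claims 28-29), the authority's derivative of it (claims 30-32) and the authority key.
type Node struct {
	Name         string
	key          *rsa.PrivateKey
	pubDER, cert []byte
	authPub      *rsa.PublicKey
	sentFact     []byte // nonce this node challenged with (claim 87)
	peerResp     []byte // peer's derivative of it, stored until it can be checked
}

// NewNode enrols a switch with its authority (the manufacturer, modelled as a
// bare RSA key that signs the switch's public key; an assumption of this demo).
func NewNode(name string, authority *rsa.PrivateKey) *Node {
	k := newKey()
	der := x509.MarshalPKCS1PublicKey(&k.PublicKey)
	return &Node{Name: name, key: k, pubDER: der, cert: derive(authority, der),
		authPub: &authority.PublicKey}
}

// Challenge emits a fresh secret fact and remembers it for the later comparison.
func (n *Node) Challenge() []byte {
	n.sentFact = make([]byte, 32)
	must(rand.Read(n.sentFact))
	return n.sentFact
}

// Verify does claim 22's two comparisons in the only safe order: bind the
// presented key to the authority first, then use it to check the stored nonce
// response. Checking against a self-asserted key would let any device pass.
func (n *Node) Verify(peerDER, peerCert []byte) error {
	if err := check(n.authPub, peerDER, peerCert); err != nil {
		return fmt.Errorf("%s: peer key not vouched for by authority: %w", n.Name, err)
	}
	peerPub, err := x509.ParsePKCS1PublicKey(peerDER)
	if err != nil {
		return err
	}
	if err := check(peerPub, n.sentFact, n.peerResp); err != nil {
		return fmt.Errorf("%s: peer did not prove possession of certified key: %w", n.Name, err)
	}
	return nil
}

// AuthenticateLink runs the claim 22 exchange. Each side stores the other's
// response (the "first memory"/"second memory") until the certified key arrives.
func AuthenticateLink(a, b *Node) error {
	a.peerResp = derive(b.key, a.Challenge()) // A->B first fact; B->A second-type derivative
	b.peerResp = derive(a.key, b.Challenge()) // B->A second fact; A->B first-type derivative
	if err := b.Verify(a.pubDER, a.cert); err != nil { // A->B defined info + third-type derivative
		return err
	}
	return a.Verify(b.pubDER, b.cert) // B->A defined info + third-type derivative
}

// Scenario authenticates two switches enrolled with one manufacturer, then a
// switch enrolled with an unrelated authority; the second link must be refused.
func Scenario() (genuine, rogue error) {
	maker, other := newKey(), newKey()
	a, b, x := NewNode("A", maker), NewNode("B", maker), NewNode("X", other)
	return AuthenticateLink(a, b), AuthenticateLink(a, x)
}

func main() {
	genuine, rogue := Scenario()
	fmt.Println("A<->B:", genuine) // <nil>
	fmt.Println("A<->X:", rogue)   // X: peer key not vouched for by authority: crypto/rsa: verification error
}
```

Scenario enrols switches A and B with one authority and X with another: A and B authenticate, while the link to X is refused at the certificate comparison before the nonce response is considered at all. The order inside Verify is the point to keep: checking the signed nonce against a key the peer merely asserted (claims 28 and 29 without claims 30 through 34) proves possession of some key, not of a key the authority vouched for. Each run generates five 2048-bit RSA keys, so it takes a few seconds.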

35. (Currently Amended) A specific networking node operating in a secure network, 
said secure network having a plurality of network nodes, each node comprising one 
or more ports, said specific networking node comprising: 

a first port on said specific networking node for receiving selected management 
information from a primary configuration node, said first port directly 
communicating with a second port on a second node via [[an]] a 
communication media exclusively shared by said first port and said second 
port; 

a memory for storing (i) management access information, and (ii) device 
connection information specifying nodes or ports that may send or receive 
substantive communication in the secure network; and 
a processor for causing the authentication of the link between said first port and
said second port prior to substantive communication between said first and
second ports;

wherein said primary configuration node is configured or adapted to exclusively
control a defined set of management functions throughout said secure
network.

36. (Currently Amended) The invention of claim 35 wherein [[said primary configuration
node is configured or adapted to exclusively control a defined set of management
functions throughout said secure network,]] said set of management functions
[[comprising]] comprises the recognition, operation and succession of primary
configuration node.

37. (Currently Amended) The invention of claim 35 wherein [[said primary configuration
node is configured or adapted to exclusively control a defined set of management
functions throughout said secure network,]] said set of management functions
[[comprising]] comprises (i) the recognition, operation and succession of said primary
configuration node, (ii) node connection controls for designating nodes to participate
in the secure network, (iii) device connection controls that indicate port relationships
in said secure network, and (iv) management access controls that restrict
management services to a defined set of endpoints.

38. (Currently Amended) The invention of claim 35 wherein [[said primary configuration
node is configured or adapted to exclusively control a defined set of management
functions throughout said secure network,]] said set of management functions
[[comprising]] comprises (i) the recognition, operation and succession of the primary
configuration node, and (ii) node connection controls for designating nodes to
participate in the secure network.
39. (Currently Amended) The invention of claim 35 wherein [[said primary configuration
node is configured or adapted to exclusively control a defined set of management
functions throughout said secure network,]] said set of management functions
[[comprising]] comprises (i) the recognition, operation and succession of said primary
configuration node, and (ii) device connection controls that indicate port
relationships in said secure network.

40. (Currently Amended) The invention of claim 35 wherein [[said primary configuration
node is configured or adapted to exclusively control a defined set of management
functions throughout said secure network,]] said set of management functions
[[comprising]] comprises (i) the recognition, operation and succession of said primary
configuration node, and (ii) management access controls that restrict management
services to a defined set of endpoints.

41. (Currently Amended) The invention of claim 35 wherein [[said primary configuration
node is configured or adapted to exclusively control a defined set of management
functions throughout said secure network,]] said set of management functions
[[comprising]] comprises (i) node connection controls for designating nodes to
participate in the secure network, and (ii) device connection controls that indicate
port relationships in said secure network.

42. (Currently Amended) The invention of claim 35 wherein [[said primary configuration
node is configured or adapted to exclusively control a defined set of management
functions throughout said secure network,]] said set of management functions
[[comprising]] comprises, (i) node connection controls for designating nodes to
participate in the secure network and (ii) management access controls that restrict
management services to a defined set of endpoints.
43. (Currently Amended) The invention of claim 35 wherein [[said primary configuration
node is configured or adapted to exclusively control a defined set of management
functions throughout said secure network,]] said set of management functions
[[comprising]] comprises (i) device connection controls that indicate port relationships
in said secure network, and (ii) management access controls that restrict
management services to a defined set of endpoints.

44. (Currently Amended) The invention of claim 35 wherein [[said primary configuration
node is configured or adapted to exclusively control a defined set of management
functions throughout said secure network,]] said set of management functions
[[comprising]] comprises (i) the recognition, operation and succession of said primary
configuration node, (ii) node connection controls for designating nodes to participate
in the secure network, and (iii) device connection controls that indicate port
relationships in said secure network.

45. (Currently Amended) The invention of claim 35 wherein [[said primary configuration
node is configured or adapted to exclusively control a defined set of management
functions throughout said secure network,]] said set of management functions
[[comprising]] comprises (i) the recognition, operation and succession of said primary
configuration node, (ii) node connection controls for designating nodes to participate
in the secure network, and (iii) management access controls that restrict
management services to a defined set of endpoints.

46. (Currently Amended) The invention of claim 35 wherein [[said primary configuration
node is configured or adapted to exclusively control a defined set of management
functions throughout said secure network,]] said set of management functions
[[comprising]] comprises (i) the recognition, operation and succession of said primary
configuration node, (ii) device connection controls that indicate port relationships in
said secure network, and (iii) management access controls that restrict management
services to a defined set of endpoints.
47. (Currently Amended) The invention of claim 35 wherein said management access
information comprises a MAC list, said MAC list comprising an indication of 
network endpoints from which management access is acceptable. 

48. (Original) The invention of claim 47 wherein said network endpoints comprise IP 
addresses. 

49. (Original) The invention of claim 48 wherein said IP addresses are associated with 
access from SNMP or Telnet or HTTP or API. 

50. (Original) The invention of claim 47 wherein said network endpoints comprise 
uniquely identified ports. 

51. (Original) The invention of claim 47 wherein said network endpoints comprise 
uniquely identified nodes resident in said secure network. 

52. (Original) The invention of claim 35 wherein said device connection information 
comprises a DCC list, said DCC list comprising definitions that logically bind a port 
on said primary configuration node to one or more other ports resident in the secure 
network. 

53. (Original) The invention of claim 35 wherein said device connection information 
comprises a DCC list, said DCC list comprising definitions that logically bind each 
port in said secure network to one or more other ports resident in said network. 

54. (Original) The invention of claim 53 wherein said one or more other ports are 
identified by a unique number. 

55. (Original) The invention of claim 54 wherein said unique number is a world-wide- 
name. 
56. (Original) The invention of claim 35 wherein said specific networking node further
comprises: 

a second memory for storing a first secret fact; 

a third port for sending said secret fact to a third node; 

a fourth port for receiving, 

a second-type derivative of said first secret fact from said third node, 
pre-defined information about said third node, and 

a third-type derivative of said pre-defined information about said third node; 
and 

said processor also for (i) causing a comparison between said first secret fact 
and said second-type derivative of said first secret fact, and (ii) causing a 
comparison between said pre-defined information about said third node and 
said third-type derivative of said pre-defined information about said third 
node. 

57. (Original) The invention of claim 56 wherein said third port and said fourth port 
are the same port. 

58. (Original) The invention of claim 56 wherein said comparison, between said first 
secret fact and said second-type derivative of said first secret fact, includes reversing 
the derivative nature of said second-type derivative of said first secret fact. 

59. (Currently Amended) The invention of claim 56 wherein said comparison, between 
said first secret fact and said second-type derivative of said first secret fact, includes 
creating a second-type derivative of said first secret fact. 

60. (Original) The invention of claim 56 wherein said second-type derivative is 
associated with said third node. 

61. (Original) The invention of claim 56 wherein said third-type derivative is associated 
with said specific networking node and said third node. 

62-71. (Cancelled) 
72. (Currently Amended) A method of securing a fabric, said fabric having a plurality
of switches all communicatively coupled together, said method comprising the steps
of:

only allowing communication between pre-defined pairs of said [[devices]]
switches as specified by a network operator;

only allowing substantive communication between devices that are on a
pre-defined list of allowed devices, said pre-defined list stored on a memory in
each of said plurality of [[devices]] switches; and

only allowing substantive communication between directly connected ports that
have been mutually authenticated.

73. (Original) A network comprising: 

a plurality of devices including one or more switching and routing devices, any 
two of said devices able to inter-communicate only by direct links between 
each other, all devices able to inter-communicate by forwarding 
communications through each other; 

all of said devices capable of mutually authenticating directly connected links; 

one or more pre-designated devices for facilitating management-level control of 
the network; and 

all of said devices carrying a list of all devices allowed on the network. 

74. (Original) The invention of claim 73 where the network is a Fibre Channel fabric 
and all the devices are routing and switching devices. 

75. (Original) The invention of claim 73 wherein said pre-designated devices are each 
in a room having a locking mechanism to control human ingress and egress. 
76. (Currently Amended) A routing device for receiving and directing information in a
network, comprising:

a public and private key pair;

one or more ports for coupling to other routing devices and for authenticating
said other routing devices and for communicating using said public and
private key pair;

a memory for storing a list of all said other routing devices that are allowed to
substantively communicate on the network; and

[[a]] at least one logical management access channel that may be disabled
through network management control.

77. (Original) The invention of claim 76 where a certificate authority for the public and
private key pair is not the entity controlling management access to said routing
device.

78. (Original) The invention of claim 76 further comprising a memory for storing 
distributed time service information. 

79. (Currently Amended) A network configuration entity configured or adapted to
exclusively control a defined set of management functions throughout a secure
network, said secure network comprising a plurality of switching devices, said set of
management functions comprising (i) the recognition, operation and succession of
the network configuration entity and (ii) switch connection controls for designating
devices to participate in the secure network, said network configuration entity
comprising:

a memory for storing
an NCE list, said NCE list comprising an indication of each device in the
network that may operate as said network configuration entity;
an SCC list, said SCC list comprising an indication of each device
allowed to participate in said secure network[[.]]; and
a first secret fact;

a first port for sending said secret fact to a second switch;

a second port for receiving,
a second-type derivative of said first secret fact from said second switch,
pre-defined information about said second switch, and
a third-type derivative of said pre-defined information about said second
switch; and

a processor for (i) causing a comparison between said first secret fact and said
second-type derivative of said first secret fact, and (ii) causing a
comparison between said pre-defined information about said second switch
and said third-type derivative of said pre-defined information about said
second switch.

80. (Original) The invention of claim 79 wherein said first port and said second port are 
the same port. 

81. (Original) The invention of claim 79 wherein said comparison, between said first 
secret fact and said second-type derivative of said first secret fact, includes reversing 
the derivative nature of said second-type derivative of said first secret fact. 

82. (Original) The invention of claim 79 wherein said comparison, between said first 
secret fact and said second-type derivative of said first secret fact, includes creating 
a second-type derivative of said first secret fact. 

83. (Original) The invention of claim 79 wherein said second-type derivative is 
associated with said second switch. 

84. (Original) The invention of claim 79 wherein said third-type derivative is associated 
with said network configuration entity and said second switch. 

85. (Original) The invention of claim 79 wherein said pre-defined information about 
said second switch comprises encryption key information. 
86. (Original) The invention of claim 79 wherein said first secret fact is a
number.

87. (Original) The invention of claim 79 wherein said first secret fact is a nonce.

88-89. (Cancelled)